From 013643be34ccfacd0be794ff55a89f609d576796 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Wed, 21 Sep 2011 18:40:09 +0000 Subject: [PATCH] Reordered pkinit_server_return_padata(), so that the alg-agility KDF can be called after the reply is encoded, as it needs the encoded reply as one of its arguments. Signed-off-by: Margaret Wasserman git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25217 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/preauth/pkinit/pkinit_srv.c | 28 ++++++++++++++++++------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 1e208fa84..46bcc2ca7 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -796,17 +796,15 @@ pkinit_server_return_padata(krb5_context context, goto cleanup; } } - if ((rep9 != NULL && rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { - retval = pkinit_octetstring2key(context, enctype, server_key, - server_key_len, encrypting_key); - if (retval) { - pkiDebug("pkinit_octetstring2key failed: %s\n", - error_message(retval)); - goto cleanup; - } + + /* + * This is DH, so don't generate the key until after we + * encode the reply, because the encoded reply is needed + * to generate the key in some cases. + */ dhkey_info.subjectPublicKey.length = dh_pubkey_len; dhkey_info.subjectPublicKey.data = dh_pubkey; @@ -852,6 +850,7 @@ pkinit_server_return_padata(krb5_context context, } break; } + } else { pkiDebug("received RSA key delivery AS REQ\n"); @@ -995,6 +994,19 @@ pkinit_server_return_padata(krb5_context context, "/tmp/kdc_as_rep"); #endif + /* If this is DH, we haven't computed the key yet, so do it now. */ + if ((rep9 != NULL && + rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || + (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { + retval = pkinit_octetstring2key(context, enctype, server_key, + server_key_len, encrypting_key); + if (retval) { + pkiDebug("pkinit_octetstring2key failed: %s\n", + error_message(retval)); + goto cleanup; + } + } + *send_pa = malloc(sizeof(krb5_pa_data)); if (*send_pa == NULL) { retval = ENOMEM; -- 2.26.2